South Korea has handed down its largest-ever data privacy penalty, slapping e-commerce giant Coupang with a record 624.7 billion won — roughly $409 million — for a massive breach that exposed the personal data of tens of millions of its customers, the country’s Personal Information Protection Commission (PIPC) announced Thursday.
The fine comprises two separate penalties: 423.6 billion won for the breach itself, and an additional 201.1 billion won for unlawfully collecting online activity records of approximately 11.17 million users across third-party websites and apps without their consent.
The total figure comfortably eclipses the previous national record, the $88 million fine imposed on mobile carrier SK Telecom last year for its own data breach.
What happened
The breach, which first came to light in November 2025, is believed to have begun as early as June of that year. According to South Korean authorities, a former Coupang software developer, a Chinese national, retained a cryptographic authentication key after leaving the company and used it to gain unauthorized remote access to customer data for approximately a year.
The compromised information included names, phone numbers, shipping addresses, order histories, and in some cases, key codes used to enter residential buildings. Payment credentials and government-issued identification numbers were reportedly not accessed.
Regulators said personal data from around 37.5 million accounts was affected, more than 70% of South Korea’s entire population. Coupang, for its part, has maintained that only around 3,000 to 4,500 customer records were involved.
A failure of basics, not a sophisticated attack
Regulators were unsparing in their assessment of how the breach happened. PIPC Chairwoman Song Kyung-hee made clear this was no sophisticated cyberattack.
“This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking,” Song said at a Thursday briefing, according to Reuters.
After the ruling, Coupang apologized for the distress caused to customers and the public, and pledged to bolster its data protection framework. But the company stopped well short of accepting the decision, strongly hinting at a legal challenge.
“We regret that our proactive measures to prevent secondary harm from last year’s data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected in the PIPC’s decision,” the company said in a statement. “We expect that the facts will be clearly established through legal procedures.”
A heavy toll beyond the fine
The financial and reputational damage to Coupang runs deeper than the regulatory penalty. The company announced a compensation plan worth approximately 1.69 trillion won in platform vouchers for affected customers. CEO Park Dae-jun resigned in December 2025, with Harold Rogers stepping in as interim chief.
Coupang’s New York-listed shares have fallen around 32% year-to-date, and the company posted a $266 million net loss in the first quarter of 2026, partly driven by the cost of its voucher program.
Also read: Carnival says a data breach exposed the personal information of nearly 6 million customers after a social engineering attack.